The present invention relates to computer architecture and data security within computer systems and, in particular, to a method and system for providing, to processes operating at certain selected privilege levels, access to a memory region while preventing processes operating at other privilege levels from accessing the memory region.
The present invention is related to security and access privileges within a computer system that allow processes executing at certain privilege levels to access a region of memory while preventing processes executing at other privilege levels from accessing the memory region. The topics of computer architecture and memory security are far too complex to summarize comprehensively in this section. Instead, a simplified, but adequate, background is presented in this section as a basis for presenting a detailed description of several embodiments of the claimed invention in a subsequent section.
FIG. 1 is a block diagram showing hardware, operating-system, and application-program layers within a generalized computer system. A computer system 100 can be considered to comprise a hardware layer 102, an operating system layer 104, and an application-programming layer 106. Computer systems are quite complex, with many additional components, sub-layers, and logical entity interrelationships, but the 3-layer hierarchy shown in FIG. 1 represents a logical view of computer systems commonly employed within the computer software and hardware industries.
The hardware layer 102 comprises the physical components of a computer system. These physical components include, for many small computer systems, a processor 108, memory storage components 110, 112, and 114, internal buses and signal lines 116-119, bus interconnect devices 120 and 122, and various microprocessor-based peripheral interface cards 124-129. The processor 108 is an instruction-execution device that executes a stream of instructions obtained by the processor from internal memory components 110, 112, and 114. The processor contains a small number of memory storage components referred to as registers 130 that can be quickly accessed. Data and instructions are read from, and written to, the memory components 110, 112, and 114 via internal buses 116 and 117 and the bus interconnect device 120. Far greater data storage capacity resides in peripheral data storage devices such as disk drives, CD-ROM drives, DVD drives, and other such components that are accessed by the processor via internal buses 116, 118, and 119, interconnect devices 120 and 122, and one or more of the peripheral device interconnect cards 124-129. For example, the stored instructions of a large program may reside on a disk drive for retrieval and storage in internal memory components 110, 112, and 114 on an as-needed basis during execution of the program. More sophisticated computers may include multiple processors with correspondingly more complex internal bus interconnections and additional components.
The operating system layer 104 is a logical layer comprising various software routines that execute on the processor 108 or one or more of a set of processors and that manage the physical components of the computer system. Certain operating system routines, in a traditional computer system, run at higher priority than user-level application programs, coordinating concurrent execution of many application programs and providing each application program with a run-time environment that includes processor time, a region of memory addressed by an address space provided to the application program, and a variety of data input and output services, including access to memory components, peripheral devices, communications media, and other internal and external devices. Currently running programs are executed in the context of a process, a logical entity defined by various state variables and data structures managed by the operating system. One important internal data structure managed by the operating system is a process queue 132 that contains, for each currently active process, a process-control block or similar data structure that stores data that defines the state of the currently active process managed by the operating system.
The application-programming and user interface layer 106 is the user-visible layer of the computer system. The current invention relates primarily to the application program interface as well as to internal kernel and operating-system interfaces, and thus the application-programming and user interface layer will be discussed primarily with reference to the application program interface. An application program comprises a long set of stored instructions 134, a memory region addressed within an address space provided by the operating system to the process executing the application program 136, and a variety of services 138-142 provided through the operating-system interface that allow the application program to store data to, and retrieve data from, external devices, access system information, such as an internal clock and system configuration information, and to access additional services.
FIG. 2 illustrates the concept of privilege within a traditional computer system, such as the computer system diagrammed in FIG. 1. A privilege level is a value contained within a process-status control register of a processor within the hardware layer of the computer system. Many current computer systems employ two privilege levels: (1) a most privileged level, or kernel-privilege level; and (2) a less privileged level, or application-program privilege level. In computer systems providing two privilege levels, the current privilege level ("CPL") for a currently executing process can be represented by a single CPL bit within the process status register. When the CPL bit has the value "0," the currently executing process executes at kernel-privilege level, and when the CPL bit has a value of "1," the currently executing process executes at application-privilege level. The privilege level at which a process executes determines the total range or ranges of virtual memory that the process can access and the range of instructions within the total instruction set that can be executed by the processor on behalf of the process. In FIG. 2, the area within outer circle 202 represents the resources accessible by a processor executing at kernel-privilege level, privilege level 0, and the area within the inner circle 204 represents resources accessible by a process executing at application-privilege level, privilege level 1. In FIG. 2, the left-hand rectangle 206 represents the entire instruction set provided by the processor architecture, and right-hand rectangle 208 represents the entire range of addressable virtual memory that can be accessed by a routine executing at the most privileged level. A process executing with privilege level 0 (202 in FIG. 2) can access the entire instruction set 206 and the entire addressable virtual memory 208 of the computer system. However, a process executing at privilege level 2 (204 in FIG. 2) can access only a portion of the instruction set 210 (represented by the cross-hatched region of the entire instruction set 206) and only a portion 212 of the entire addressable memory 208.
The privilege concept is used to prevent full access to computing resources by application programs. In order to obtain services that employ resources not directly available to application programs, application programs need to call operating system routines through the operating system interface. Operating system routines can promote the CPL to privilege level 0 in order to access the necessary resources, carry out a task requested by an application program, and then return control to the application program while simultaneously demoting the CPL back to privilege level 1. By restricting application-program access to computer resources, an operating system can maintain operating-system-only-accessible data structures for managing many different, concurrently executing programs, in the case of a single-processor computer, and, on a multi-processor computing system, many different concurrently executing application programs, a number of which execute in parallel. Privilege levels also prevent the processor from executing certain privileged instructions on behalf of application programs. For example, instructions that alter the contents of the process status register may be privileged, and may be executed by the processor only on behalf of an operating system routine running at privilege level 0. Generally, restricted instructions include instructions that manipulate the contents of control registers and special operating-system-specific data structures.
As an example of the use of privilege levels, consider concurrent execution of multiple processes, representing multiple application programs managed by the operating system in a single-processor computer system. The processor can execute instructions on behalf of only a single process at a time. The operating system may continuously schedule concurrently executing processes for brief periods of execution in order to provide, over time, a fraction of the total processing bandwidth of the computer system to each running application program. The operating system schedules a process for execution by removing the process-control block corresponding to the process from the process queue and writing the contents of various memory locations within the process-control block into various control registers and operating-system data structures. Similarly, the operating system removes a process from the executing state by storing the contents of control registers and operating-system data structures into the corresponding process-control block and re-queuing the process-control block to the process queue. Operating system routines are invoked through system calls, faults, traps, and interrupts during the course of execution of an application program. By maintaining the process queue in memory accessible only to routines executing at privilege level 0, and by ensuring that some or all instructions required to store and retrieve data from control registers are privilege level 0 instructions, the architecture of the computing system ensures that only operating-system routines can schedule application processes for execution. Thus, an application program may not manipulate the process queue and control registers in order to monopolize system resources and prevent other application programs from obtaining computing resources for concurrent execution.
The operating system, as part of providing an application programming environment, provides both application-specific and application-sharable memory to application programs. An application program may store private data that the application wishes to be inaccessible to other application programs in private memory regions, and may exchange data with other application programs by storing data in sharable memory. Access to memory is controlled by the operating system through address mapping and access privileges associated with memory pages, each memory page generally comprising some fixed number of 8-bit bytes. Because the instructions and operating-system data structures necessary for memory mapping and access privilege assignment include instructions and memory accessible only to routines executing at privilege level 0, an application program executing at privilege level 1 may not remap memory or reassign access privileges in order to gain access to the private memory of other application programs. The operating system routines that control memory mapping and access-privilege assignment protect one application program's private memory from that of other application programs. As one example, an application program executing on behalf of one user may store data-encryption keys within private memory that allow the user to access confidential user information via the Internet, including user-account information. By controlling access to memory and instructions via privilege levels, the computer system ensures that only trusted operating system routines and one application program can maintain the data encryption keys in memory private to the application program, so that application programs running on behalf of other users may not access the first user's data encryption keys in order to access the first user's account information.
Unfortunately, most currently available operating systems are not verifiably secure, and contain security holes and breaches that may allow knowledgeable and malicious users to access private memory allocated to other users.
FIG. 3 shows logical layers that may intercooperate within a modern, 4-privilege-level computer system. In FIG. 3, the hardware level 302, operating system level 304, and application-programming level 306 are equivalent to the corresponding hardware, operating-system, and application program levels 102, 104, and 106 in the traditional computing system shown in FIG. 1. The 4-privilege-level computer system may also include two additional levels 308 and 310 between the hardware level 302 and the operating system level 304. The first of these additional layers, layer 308, represents certain fundamental, highly-privileged kernel routines that operate at privilege level 0. The second logical layer 310 represents a control-program level that includes various relatively highly privileged service routines that run at privilege level 1. The operating system level 304 includes operating system routines that run at privilege level 2. Application programs, in the 4-privilege-level computer system, run at privilege level 3, the least privileged level. The highly-privileged kernel routines that together compose logical layer 308 may be designed to be verifiably correct and provide critical services, including encryption services, that require fully secure management. An application program, for example, running at privilege level 3, may call a kernel routine that runs at privilege level 0 in order to obtain data encryption keys that the application program can use to encrypt and decrypt sensitive data. While the routines of layer 308 that run at privilege level 0 may be designed to be verifiably correct and fully secure, the operating system routines that run in the operating system level at privilege level 2 are not verifiably correct and are not fully secure.
Thus, in order to guarantee data encryption key security at the application level, the application program must be able to obtain private memory that can be accessed only by itself and by routines of the secure kernel 308, but that cannot be accessed by routines that run at intervening privilege levels 1 and 2.
FIG. 4 illustrates partitioning of memory resources between privilege levels in a four-privilege-level computer system. Memory resources accessible to routines running at privilege level 0 are represented by the area within the outer circle 402 in FIG. 4. Memory resources accessible to routines running at privilege levels 1, 2, and 3 are represented by the areas within circles 404, 406, and 408, respectively. The total accessible memory is represented by rectangle 410. As shown in FIG. 4, a process running at privilege level 3 can only access a subset 412 of the total memory space. However, an operating-system routine operating at privilege level 2 can access memory accessible by an application program running at privilege 3 as well as additional memory 414-415 accessible to routines running at privilege levels 2-0. In similar fashion, a routine running at privilege level 1 can access memory accessible to routines running at privilege levels 3 and 2, as well as additional memory 416-417 accessible only to processes running at privilege levels 1 and 0. Finally, a routine running at privilege level 0 can access the entire memory space within the computer system.
In view of the nested accessibility of memory to routines running at the various privilege levels, as illustrated in FIG. 4, it is not possible, by privilege level alone, to provide memory to an application program that is accessible only by the application program and by routines running at privilege level 0. Instead, memory accessible to a routine running at privilege level 3 is generally accessible to routines running at privilege levels 2, 1, and 0. Thus, private memory provided to an application program can also be accessed by operating system routines. However, because operating systems are generally far too complex to be computationally verified and generally include security holes that can be exploited by malicious users to breach security policies adopted by the operating system, it is not possible, using privilege levels alone, to ensure security of private memory accessible to application routines running at privilege level 3. For these reasons, computer architects, software developers, Internet retailers, and computer users have all recognized the need for a method and system for providing memory accessible only to routines executing at arbitrary subsets of privilege levels, particularly at privilege levels 0 and 3.
The present invention is related to computer architecture and secure memory access within computer systems. Certain modern computer architectures provide multiple privilege levels at which processors may execute and which control access to memory pages. Generally, memory and instructions accessible at a lower privilege level are also accessible to processes running at one or more higher privilege levels. It is therefore not possible, using privilege levels alone, to provide memory accessible to a low privilege process and to a high privilege process, but not accessible to intermediate-level processes.
In certain modern computer architectures, memory is protected not only by privilege-level-based access rights, but also by protection keys. In certain modern computer architectures, a number of protection-key registers are included in the control registers accessible to routines running at the most privileged level. Memory pages are associated with 24-bit protection keys. An executing process may access a memory page if a valid protection key equal to the protection key associated with the memory page is currently contained within a protection-key register, if the privilege level associated with the memory page is less privileged than or equally privileged to the privilege level of the currently executing process and, finally, if the access mode attempted by the currently executing process is compatible with the access mode associated with the memory page and contained within the protection-key register. In certain modern computer architectures featuring protection keys, operating-system routine calls, interrupts, traps, and faults result in promotion of the current privilege level to the highest privilege level prior to dispatch by a kernel routine to an operating system routine with concomitant demotion of the current privilege level to operating-system-privilege level. Any promotion of the current privilege level in such systems occurs via an initial promotion to the most privileged level.
By partitioning the 24-bit protection key space into multiple protection-key domains, each protection-key domain associated with a privilege level, by associating memory pages with protection keys selected from the protection-key domain corresponding to the privilege level associated with the memory page, and by invalidating protection-key registers during promotion of the current privilege level to a higher privilege level, it is possible to provide regions of memory that can only be accessed by routines running at low privilege levels and by routines running at the highest privilege level, but not accessible to routines running at intermediate privilege levels.
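The following C program is an added illustration, not code from the patent or from any real processor's definition, of the access check and key-domain partitioning described in the two preceding paragraphs and of the nested, privilege-level-only accessibility of FIG. 4. It assumes a small set of protection-key registers (four), a partitioning of the 24-bit key space into four domains selected by the top two key bits, and that loading a protection-key register is a privileged instruction available only at privilege level 0; the page, key value and register count are constructed sample data. The demonstration walks one application page through a system call: the application at level 3 can read it, a level-2 operating-system routine passes the privilege-level check alone but fails the full check because promotion invalidated the registers and it cannot reload them, and the level-0 kernel can reload the key and access the page before handing the application back its key.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Model constants. Privilege level 0 is most privileged, 3 least. */
#define NUM_PKR  4                      /* protection-key registers (assumed count) */
#define KEY_BITS 24                     /* 24-bit protection keys, as on the page */
#define KEY_MASK ((1u << KEY_BITS) - 1)

enum access { ACC_READ = 1, ACC_WRITE = 2, ACC_EXEC = 4 };

struct page { uint32_t key; int pl; int rights; };   /* pl: accessible to levels <= pl */
struct pkr  { bool valid; uint32_t key; int rights; };
struct cpu  { int cpl; struct pkr pkrs[NUM_PKR]; };

/* Assumed partitioning: the top two bits of a key name its privilege-level domain. */
uint32_t make_key(int pl, uint32_t index) {
    return ((uint32_t)pl << (KEY_BITS - 2)) | (index & (KEY_MASK >> 2));
}
int key_domain(uint32_t key) { return (int)((key & KEY_MASK) >> (KEY_BITS - 2)); }

/* Privilege-level-only check (FIG. 4 nesting): every more privileged level also passes. */
bool pl_check(const struct cpu *c, const struct page *p) { return c->cpl <= p->pl; }

/* Full check: privilege level, page rights, and a valid PKR holding the page's key
 * whose permitted access modes include the attempted mode. */
bool access_allowed(const struct cpu *c, const struct page *p, int mode) {
    if (!pl_check(c, p) || (p->rights & mode) != mode) return false;
    for (int i = 0; i < NUM_PKR; i++) {
        const struct pkr *r = &c->pkrs[i];
        if (r->valid && r->key == p->key && (r->rights & mode) == mode) return true;
    }
    return false;
}

/* Loading a PKR is privileged: only level 0 may do it (assumption of this model). */
bool pkr_load(struct cpu *c, int slot, uint32_t key, int rights) {
    if (c->cpl != 0 || slot < 0 || slot >= NUM_PKR) return false;
    c->pkrs[slot] = (struct pkr){ true, key & KEY_MASK, rights };
    return true;
}

void pkr_invalidate_all(struct cpu *c) {
    for (int i = 0; i < NUM_PKR; i++) c->pkrs[i].valid = false;
}

/* Any promotion passes through level 0 first and invalidates every PKR,
 * then the kernel dispatches to the target level. */
void promote(struct cpu *c, int target_pl) {
    c->cpl = 0;
    pkr_invalidate_all(c);
    c->cpl = target_pl;
}

enum demo_bits {
    DEMO_APP_READ         = 1,   /* application at level 3 reads its private page */
    DEMO_OS_PL_ONLY       = 2,   /* privilege level alone would admit level 2 */
    DEMO_OS_READ          = 4,   /* full check admits level 2 (must stay clear) */
    DEMO_KERNEL_READ      = 8,   /* level 0 reads after loading the key */
    DEMO_APP_AFTER_RETURN = 16   /* application writes again after its key is restored */
};

/* Walk one constructed private page through a system call; returns demo_bits. */
int run_demo(void) {
    struct cpu c;
    memset(&c, 0, sizeof c);
    /* Constructed page: private to one application, keyed from the level-3 domain. */
    struct page priv = { make_key(3, 0x1234), 3, ACC_READ | ACC_WRITE };
    int result = 0;

    c.cpl = 0;                                       /* kernel sets the app up */
    pkr_load(&c, 0, priv.key, ACC_READ | ACC_WRITE);
    c.cpl = 3;
    if (access_allowed(&c, &priv, ACC_READ)) result |= DEMO_APP_READ;

    promote(&c, 2);                                  /* syscall dispatched to the OS */
    if (pl_check(&c, &priv)) result |= DEMO_OS_PL_ONLY;
    (void)pkr_load(&c, 1, priv.key, ACC_READ);       /* fails: not at level 0 */
    if (access_allowed(&c, &priv, ACC_READ)) result |= DEMO_OS_READ;

    promote(&c, 0);                                  /* OS calls the kernel */
    pkr_load(&c, 0, priv.key, ACC_READ);
    if (access_allowed(&c, &priv, ACC_READ)) result |= DEMO_KERNEL_READ;

    pkr_invalidate_all(&c);                          /* return to the application */
    pkr_load(&c, 0, priv.key, ACC_READ | ACC_WRITE);
    c.cpl = 3;
    if (access_allowed(&c, &priv, ACC_WRITE)) result |= DEMO_APP_AFTER_RETURN;
    return result;
}
```

The separation the page relies on is visible in `run_demo`: `pl_check` alone admits the level-2 routine, and only the combination of register invalidation on promotion with a privileged-only `pkr_load` keeps the level-3 page out of reach at the intermediate level while the level-0 kernel retains access.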